Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
8/27/2015
09:05 AM
Gavin Millard
Gavin Millard
Partner Perspectives
50%
50%

Flash: Web Browser Plugins Are Vulnerable

Maybe it's time to uninstall Flash for those that don't need it and continuously monitor those that do.

Adobe Flash has been in the press a lot recently after zero day vulnerabilities were disclosed. Facebook's CISO is calling for an end of life date, and Brian Krebs, the well-known infosec journalist (along with many others), is calling for everyone to uninstall the software. Flash has had major vulnerabilities in the past; everyone is used to seeing the almost daily popup from Adobe requesting an install of the latest version, so why all the sudden momentum?

When the treasure trove of information from the Hacking Team breach was reviewed by eagle-eyed researchers, they discovered that the security company of choice for dictatorships had three previously undisclosed and unpatched vulnerabilities they’d be leveraging to infect targets. The vulnerabilities were bad; in fact the Hacking Team described one as, “the most beautiful Flash bug for the last four years.” The 400GB data dump also included handy, proof of concept code that was quickly rolled into the Angler and Neutrino exploit kits before Adobe even had a chance to release an updated version of Flash to fix the “beautiful bug.”

The first stage of an attack is often the initial foothold, getting a malicious virtual foot in the door. For a targeted attack, this foothold is frequently established by phishing or social engineering, persuading a hapless employee to give up credentials, click on a link, plug in a dodgy USB device, or download and run malicious code. If we look at the famous RSA breach of a few years ago, the initial intrusion was allegedly via an email containing a spreadsheet of salaries; the desire for employees to get a glimpse of their peers’ earnings was tempting enough for them to ignore all the training they’d had from the security team.

Manipulation of “Layer 8” insecurities is a frequently leveraged approach to breaking in, but why go to that effort when easily exploitable and unpatched browser or plugin vulnerabilities are running on millions of laptops? Cybercriminals will often take the easy path to infection, targeting the low hanging fruit with off-the-shelf malware, rather than create bespoke, complex and targeted code. We hear so much about Advanced Persistent Threats, but for the majority of users, intrusions are more likely to come from leveraging a known, and easily exploitable, vulnerability.

Uninstall Flash Unless It Is Required

If there are no fixes available or the patch rate is greater than a few days to deploy the ones that are, what can be done to protect users from this increasing threat vector? Uninstalling vulnerable software is a viable option, but many still require it for their day-to-day work to use business critical systems, and for playing browser games. Disabling Flash or “Click-to-Play” is another option, but users can easily be manipulated into running the Flash player. Anti-malware solutions offer some protection, but even if they are deployed and up to date, they are often behind the curve of detecting the latest obfuscation techniques utilized by the exploit kit authors. If you can’t prevent, you need to detect. 

Utilize Strong Detective Controls On Systems Where Flash Is Required

The ability to detect indicators of compromise --  unexpected autoruns, malicious known code missed by AV software, connections to Command and Control servers often utilized by attackers -- have increased by leaps and bounds in the last few years and should be considered in any defense in-depth strategy. Deploying robust detective controls utilizing these approaches alongside traditional preventive and corrective controls should help decrease the risk of unknown or unpatched client side vulnerabilities being used as the initial foothold many fear.

One major concern surrounding the use of detective controls is the false positive issue causing security analysts to drown under the weight of alerts from the different threat intelligence feeds and logs. This is where context is critical. One approach for focusing on the risky rather than the risk-free, is to identify systems that are using known browser plugins targeted by malware authors, or out of date browsers that are easily attacked, and then to leverage this context for elevating alerts of possible indicators of compromise on those affected systems.

Visibility is another concern. What about all those remote workers who are now a favored target because they are less protected than their counterparts in corporate headquarters? Agents installed on their devices can collect vulnerability information, software inventory, configuration issues and the indicators of compromise. Agents should always be considered in a rigorous detective control program, and the collected data should be sent back to corporate for correlation and prioritization.

Since Steve Jobs made the controversial decision to keep Flash off Apple’s shiny iOS devices, many mainstream websites have made the move to HTML5 or alternate technologies to support the millions of devoted fans of all things “i.” Maybe it’s time to uninstall Flash for those that don’t need it and continuously monitor for indicators of compromise for those that do.

Gavin Millard is a trained, ethical hacker who works with medium and large enterprises to address their cybersecurity challenges. With a deep understanding of how attackers plot a breach, he helps bring these companies to a trusted state of IT infrastructure. He previously ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sdecatur328
100%
0%
sdecatur328,
User Rank: Apprentice
8/27/2015 | 9:46:30 AM
Oxymorons
Funny how a website article about the vulnerability of Flash, wants you to run the add-on Adobe Flash Player from Adobe Systems Incorporated...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...